
Law enforcement agencies have taken down the First VPN service and arrested its administrator in Ukraine, dealing a blow to cybercriminals who relied on the platform for anonymity.
The VPN was marketed on Russian‑language forums, promising encrypted tunnels for a subscription fee, and investigators say the operators maintained 33 servers in various countries; three primary domains were seized over May 19‑20, 2026, according to Infosecurity Magazine.
Although the service advertised a strict no‑logs policy, the seized user database retained connection timestamps, IP addresses and payment details, contradicting that claim and giving investigators a direct link between activity and identity, as reported by Cybernews.
The platform had featured in almost every major Europol‑supported cybercrime investigation over the past year, with ransomware groups and fraudsters using it to hide command‑and‑control traffic and stolen data flows, and the operation has already supplied leads for 21 ongoing cases while yielding information on more than 500 individuals linked to illicit activity, according to Eurojust.
No specific threat actor has been named in the takedown, but analysts note the infrastructure was known to host affiliates of ransomware families such as LockBit and Clop, as well as card‑sharing forums, and the disruption is expected to force these groups to seek alternative anonymity services, according to databreaches.net.
Defenders should examine firewall and proxy logs for connections to the seized IP addresses and domains, block those ranges, and hunt for any lingering credentials or tokens that may have been issued by the service, guidance echoed by Infosecurity Magazine.
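As an added illustration of the log review described above (not code from any of the cited reports), this Python example checks proxy log lines against a set of seized networks and domains. The indicator values, the six-field log format and the function names are assumptions: the networks and domains are reserved documentation placeholders, to be replaced with the published indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholders (constructed, reserved doc ranges): swap in the published indicators.
SEIZED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]
SEIZED_DOMAINS = {"vpn-placeholder.example", "placeholder-two.example"}

# Constructed proxy log; assumed fields: time client user method target dest_ip
SAMPLE_LOG = """\
2026-05-12T08:14:02Z 10.1.4.22 alice CONNECT api.vpn-placeholder.example:443 192.0.2.45
2026-05-12T08:15:40Z 10.1.4.23 bob GET http://intranet.corp.example/home 10.0.0.5
2026-05-13T23:01:17Z 10.1.7.90 svc-backup CONNECT 198.51.100.20:1194 198.51.100.20
2026-05-14T02:44:09Z 10.1.4.22 alice CONNECT notvpn-placeholder.example:443 203.0.113.9
malformed line
"""

def host_of(target):
    """Host from a CONNECT 'host:port' target or a full URL, lowercased."""
    try:
        url = target if "://" in target else "//" + target
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def domain_hit(host):
    # Exact domain or a true subdomain; a bare suffix match would flag look-alikes.
    return any(host == d or host.endswith("." + d) for d in SEIZED_DOMAINS)

def ip_hit(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname)
    return any(addr in net for net in SEIZED_NETS)

def hunt(log_text):
    """Return (time, client, user, reasons) for each line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, user, _method, target, dest_ip = parts
        host = host_of(target)
        reasons = ["domain:" + host] if domain_hit(host) else []
        reasons += ["ip:" + ip for ip in dict.fromkeys((dest_ip, host)) if ip_hit(ip)]
        if reasons:
            hits.append((ts, client, user, ",".join(reasons)))
    return hits
```

Calling `hunt(SAMPLE_LOG)` returns the two matching lines with the internal client address and user, which is the starting point for the credential and token review on those hosts.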
Organizations that rely on third‑party VPNs for remote access should verify vendor transparency, enforce multi‑factor authentication, and consider terminating any service that cannot provide verifiable no‑logs assurances, advice highlighted by Cybernews.